Active Directory Security

there are many docs about this topic,but i havent seen one that exactly shows HOW things should be done.
i.e. how can i protect our KDC for not getting compromised? how about other critical parts in AD? its obvious,to use strong passwords,etc. but i need to have info about infrastructure security.
anyone an idea?

First, start with a complete and regular backup regimen for the DC's. If the worst were to happen, there is already a know path to recovery in those cases.

Place domain controllers behind firewalls. It is not enough that Windows Server has its own firewall, a third-party device should be used to secure all DC's from web connection attempts. No DC should be internet-facing, SBS is the exception there. A firewall can be used to restrict connections on the LAN as well. This could serve to protect your DC's from mal-ware brought onto the network by visiting devices. Best that visiting devices have their own subnet, separated from the infrastructure servers.

Document as much as you can about the setup of the servers and active directory. Restrict membership in the domain/enterprise admins groups to those folks that absolutely need that type of access. AD restricted groups can help with that task.

What about the USN? The procedures and best-practices for securing your environment are going to have to be developed on your end. There is no "one-size-fits-all" approach to computer security, which is a balance between functionality and security. Also, a security policy should be drawn-up, outlining the goals of the security effort.

I am more than capable of answering your question, but am trying to suggest choices that would encompass backing up the KDC and the USN (why back up just those things without backing up the whole DC?). Isolate your KDC, limit admin access to it, run A/V software, do not surf the web on it, that is how you keep the KDC from being compromised.

Featured Post

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…

Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…